Architecture for asymmetric crypto-key storage

ABSTRACT

Techniques for securing an asymmetric crypto-key having a public key and a split private key with multiple private portions are provided. A first one of multiple factors is stored. All of the factors are under the control of a user and all are required to generate a first private portion of the split private key. The first private portion not stored in a persistent state. A second private portion of the split private key under control of an entity other than the user is also stored. The first private portion and the second private portion are combinable to form a complete private portion.

RELATED APPLICATIONS

This application is related to U.S. application Ser. No. ______, filedconcurrently herewith, and entitled “TECHNIQUE FOR ASYMMERIC CRYPTO-KEYGENERATION” [Attorney Docket No. 3001-32], U.S. application Ser. No.______, filed concurrently herewith, and entitled “MULTIPLE FACTORPRIVATE PORTION OF AN ASYMMETRIC KEY” [Attorney Docket No. 3001-33],U.S. application Ser. No. ______, filed concurrently herewith, andentitled “AUTHENTICATION PROTOCOL USING A MULTI-FACTOR ASYMMETRIC KEYPAIR” [Attorney Docket No. 3001-34], U.S. application Ser. No. ______,filed concurrently herewith, and entitled “ROAMING UTILIZING ANASYMMETRIC KEY PAIR” [Attorney Docket No. 3001-35], U.S. applicationSer. No. ______, filed concurrently herewith, and entitled “ASYMMETRICKEY PAIR HAVING A KIOSK MODE” [Attorney Docket No. 3001-36], and U.S.application Ser. No. ______, filed concurrently herewith, and entitled“TECHNIQUE FOR PROVIDING MULTIPLE LEVELS OF SECURITY” [Attorney DocketNo. 3001-37]. This application is also related to U.S. application Ser.No. 09/739,260, filed Dec. 19, 2000, and entitled “SYSTEM AND METHOD FORCRYPTO-KEY GENERATION AND USE IN CRYPTOSYSTEM” [Attorney Docket No.3001-07], U.S. application Ser. No. 10/849,818, filed May 21, 2004, andentitled “ONE TIME PASSWORD ENTRY TO ACCESS MULTIPLE NETWORK SITES”[Attorney Docket No. 3001-07A-CNT], which is a continuation of U.S.application Ser. No. 09/739,114, filed Dec. 19, 2000, (now abandoned)and U.S. application Ser. No. 09/739,260, filed Dec. 19, 2000, U.S.application Ser. No. 09/739,112, filed Dec. 19, 2000, and entitled “HIGHSECURITY CRYPTO SYSTEM” [Attorney Docket No. 3001-07B], U.S. applicationSer. No. 09/739,113, filed Dec. 19, 2000, and entitled “SECURECOMMUNICATIONS NETWORK WITH USER CONTROL OF AUTHENTICATED PERSONALINFORMATION PROVIDED TO NETWORK ENTITIES” [Attorney Docket No.3001-07C], U.S. application Ser. No. 09/739,119, filed Dec. 19, 2000,and entitled “METHOD AND SYSTEM FOR AUTHORIZING GENERATION OF ASYMMETRICCRYPTO KEYS” [Attorney Docket No. 3001-07D], U.S. application Ser. No.09/739,118, filed Dec. 19, 2000, and entitled “SYSTEM AND METHOD FORAUTHENTICATION IN A CRYPTO SYSTEM UTILIZING SYMMETRIC AND ASYMMETRICCRYPTO KEYS” [Attorney Docket No. 3001-07E], and U.S. application Ser.No. 09/739,111, filed Dec. 19, 2000, and entitled “SYSTEM AND METHOD FORGENERATION AND USE OF ASYMMETRIC CRYPTO KEYS EACH HAVING A PUBLICPORTION AND MULTIPLE PRIVATE PORTIONS” [Attorney Docket No. 3001-07F].This application claims priority based upon Provisional U.S. applicationSer. No. ______, filed Jan. 18, 2005, and entitled “THE TRICIPHERARMORED CREDENTIAL SYSTEM” [Attorney Docket No. 3001-30PROV], thecontents of which are incorporated herein in their entirety byreference.

TECHNICAL FIELD

This invention relates to cryptosystems. More particularly, the presentinvention relates to split key cryptosystem having multiple levels ofsecurity.

BACKGROUND ART

Today, computing devices are almost always interconnected via networks.These networks can be large closed networks, as within a corporation, ortruly public networks, as with the Internet. A network itself might havehundreds, thousands or even millions of potential users. Consequently itis often required to restrict access to any given networked computer orservice, or a part of a networked computer or service, to a subset ofthe users on the public or closed network. For instance, a brokeragemight have a public website accessible to all, but would like to onlygive Ms. Alice Smith access to Ms. Alice Smith's brokerage account.

Access control is an old problem, tracing its roots to the earliest daysof computers. Passwords were among the first techniques used, and tothis day remain the most widely used, for protecting resources on acomputer or service.

In its simplest form, known as single factor authentication, every userhas a unique password and the computer has knowledge of the userpassword. When attempting to log on Alice would enter her userid, sayalice, and password, say apple23, the computer would compare the pair,i.e. alice, apple23, with the pair it had stored for Alice, and if thereis a match would establish a session and give Alice access.

This simple scheme suffers from two problems. First, the tablecontaining the passwords is stored on the computer, and thus representsa single point of compromise. If Eve could somehow steal this table, shewould be able to access every user's account. A second problem with thisapproach is that when Alice enters her password it travels from herterminal to the computer in the clear, and Eve could potentiallyeavesdrop. Such eavesdropping is known as a Man-In-The-Middle attack.For instance the “terminal” could be Alice's PC at home, and thecomputer could be a server on the Internet, in which case her passwordtravels in the clear on the Internet. It will be recognized by thosewith ordinary skill in the art that a Man-in-The-Middle attack can gobeyond eavesdropping to modify the contents of the communication.

Various solutions have been proposed and implemented to solve these twoissues. For instance, to solve the first problem of storing the passwordon the computer, the computer could instead store a one way function ofthe password. E.g. F(apple23)=XD45DTY, and the pair {alice, XD45DTY}. Inthis example as F( ) is a one way function, computing XD45DTY fromapple23 is easy, but as it is a “one way function”, the reverse isbelieved to be computationally difficult or close to impossible. So whenAlice logs on and sends the computer {alice, apple23}, the computer cancompute F(apple23) and compare the result with XD45DTY. The UNIXoperating system was among the first to implement such a system in the1970's. However, this approach, while solving the problems due to thestorage of the password on the computer, does not solve the problem ofthe password traveling in the clear.

Multiple factor authentication also exists as a solution to the problemsinherent with single factor authentication. In multiple factorauthentication, at least knowledge of, if not actual possession of, atleast two factors must be shown for authentication to be complete. Itshould be understood that in multiple factor authentication, each factorremains separate. That is, the factors are not combined. Further, thefactors are not even concatenated. Several multiple factorauthentication techniques exist, including one time password tokentechniques, encrypted storage techniques, smart card techniques, andsplit key techniques.

In one time password token techniques, two passwords are utilized, onebeing a permanent password associated with the user, and the other beinga temporary, one-time use, password generated by a password generator.The permanent password may be optional. The temporary password has afinite usable life, such as sixty seconds. At the end of the useablelife, another temporary password is generated. An authentication serverknows each usable password as well as its useable life, based uponalgorithms well known to one of ordinary skill in the art. A usertransmits both the permanent password (first factor) and a temporarypassword (second factor) to the authentication server which thenverifies both passwords. The passwords are transmitted in the clear,thus token techniques are subject to man-in-the-middle attacks.

Encrypted storage techniques utilize a cryptographic key, to bediscussed further below, stored on either removable media or a harddrive. The cryptographic key is encrypted with a user's password. Afterdecryption with the user's password, the key is then stored, at leasttemporarily, in memory of the user's computer system where it is used toeither encrypt or decrypt information. As will be recognized by one ofordinary skill, this particular approach is undesirable due to it beingsusceptible to a dictionary attack, to be discussed in detail furtherbelow.

In smart card techniques, a private portion of an asymmetriccryptographic key, to be discussed further below, is stored on a smartcard, which is portable. A specialized reader attached to a computersystem is used to access the smart card. More particularly, the userenters a PIN (the first factor) to ‘unlock’ the smart card. Onceunlocked, the smart card encrypts or decrypts information using the keystored thereon. It should be stressed that in smart card techniques thekey never leaves the smart card, unlike in the encrypted storagetechniques discussed above. Rather, electronics within the smart carditself perform the encrypting and/or decrypting. Smart card techniquesare associated with certain problems. These problems include the factthat the technique is costly to implement, due to hardware costs.Further, a lack of readers makes use of a user's smart card difficult,and smart cards themselves are subject to loss.

Before discussing in detail the more sophisticated conventionaltechniques for authentication, which are based upon split keytechnology, let us briefly describe symmetric and asymmetric keycryptography.

In symmetric key cryptography, the two parties who want to communicatein private share a common secret key, say K. The sender encryptsmessages with K, to generate a cipher, i.e. C=Encrypt(M,K). The receiverdecrypts the cipher to retrieve the message, i.e. D=Decrypt(C,K). Anattacker who does not know K, and sees C, cannot successfully decryptthe message, if the underlying algorithms are strong. Examples of suchsystems are DES3 and RC4. Encryption and decryption with symmetric keysprovide a confidentiality, or privacy service.

Symmetric keys can also be used to provide integrity and authenticationof messages in a network. Integrity and authentication means that thereceiver knows who sent a message and that the message has not beenmodified so it is received as it was sent. Integrity and authenticationis achieved by attaching a Message Authentication Code (MAC) to amessage M. E.g., the sender computes S=MAC(M,K) and attaches S to themessage M. When the message M reaches the destination, the receiver alsocomputes S′=MAC(M,K) and compares S′ with the transmitted value S. IfS′=S the verification is successful, otherwise verification fails andthe message should be rejected. Early MACs were based on symmetricencryption algorithms such as DES whereas more recently MACs areconstructed from message digest functions, or “hash” functions, such asMD5 and SHA-1. The current Internet standard for this purpose is knownas hash-based MAC (HMAC).

By combining confidentiality with integrity and authentication, it ispossible to achieve both services with symmetric key cryptography. It isgenerally accepted that different keys should be used for these twoservices and different keys should be used in different directionsbetween the same two entities for the same service. Thus if Aliceencrypts messages to Bob with a shared key K, Bob should use a differentshared key K′ to encrypt messages from Bob to Alice. Likewise Aliceshould use yet another key K″ for MACs from Alice to Bob and Bob shoulduse K′″ for MACs from Bob to Alice. Since this is well understood bythose skilled in the art, we will follow the usual custom of talkingabout a single shared symmetric key between Alice and Bob, with theunderstanding that strong security requires the use of four differentkeys.

Symmetric key systems have always suffered from a major problem—namelyhow to perform key distribution. How do Bob and Alice agree on K?Asymmetric key cryptography was invented to solve this problem. Hereevery user is associated with two keys, which are related by specialmathematical properties. These properties result in the followingfunctionality: a message encrypted with one of the two keys can thenonly be decrypted with the other.

One of these keys for each user is made public and the other is keptprivate. Let us denote the former by E, and the latter by D. So Aliceknows D_(alice), and everyone knows E_(alice). To send Alice thesymmetric key K, Bob simply sends C=Encrypt(K,E_(alice)). Alice, andonly Alice (since no one else knows D_(alice)), can decrypt theciphertext C to recover the message, i.e. Decrypt(C,D_(alice))=K. Nowboth Alice and Bob know K and can use it for encrypting subsequentmessages using a symmetric key system. Why not simply encrypt themessage itself with the asymmetric system? This is simply because inpractice all known asymmetric systems are fairly inefficient, and whilethey are perfectly useful for encrypting short strings such as K, theyare inefficient for large messages.

The above illustrates how asymmetric cryptography can solve the keydistribution problem. Asymmetric cryptography can also be used to solveanother important problem, that of digital signatures. To sign a messageM, Alice encrypts it with her own private key to createS=Encrypt(M,D_(alice)). She can then send (M,S) to the recipient who canthen decrypt S with Alice's public key to generate M′, i.e.M′=Decrypt(S,E_(alice)). If M′=M then the recipient has a validsignature as only someone who has D_(alice), by definition only Alice,can generate S, which can be decrypted with E_(alice) to produce M. Toconvey the meaning of these cryptographic operations more clearly theyare often written as S=Sign(M,D_(alice)) and M′=Verify(M,S,E_(alice)).It is worth noting that asymmetric key digital signatures providenon-repudiation in addition to the integrity and authentication achievedby symmetric key MACs. With MACs the verifier can compute the MAC forany message M of his choice since the computation is based on a sharedsecret key. With digital signatures this is not possible since only thesender has knowledge of the sender's private key required to compute thesignature. The verifier can only verify the signature but not generateit. It will be recognized by those with ordinary skill in this art thatthere are numerous variations and elaborations of these basiccryptographic operations of symmetric key encryption, symmetric key MAC,asymmetric key encryption and asymmetric key signatures.

The RSA cryptosystem is one system that implements asymmetriccryptography as described above. In particular the RSA cryptosystemallows the same public-private key pair to be used for encryption andfor digital signatures. It should be noted there are other asymmetriccryptosystems which implement encryption only e.g., ElGamal or digitalsignature only, e.g., DSA. Technically the public key in RSA is a pairof numbers E, N and the private key is the pair of numbers D, N. When Nis not relevant to the discussion it is commonplace to refer to thepublic key as E and the private key as D.

Finally, the above description does not answer the important question ofhow Bob gets Alice's public key E_(alice). The process for getting andstoring the binding [Alice, E_(alice)] which binds E_(alice) to Alice istricky. The most practical method appears to be to have the bindingsigned by a common trusted authority. So such a “certificate authority”(CA) can create CERT_(alice)=Sign([Alice, E_(alice)], Dca). NowCERTalice can be verified by anyone who knows the CA's public key Eca.So in essence, instead of everyone having to know everyone else's publickey, everyone only need know a single public key, that of the CA. Moreelaborate schemes with multiple Certificate Authorities, sometimeshaving a hierarchical relationship, have also been proposed.

Asymmetric key cryptosystems have been around for a long time, but havefound limited use. The primary reasons are twofold: (a) the private keyD in most systems is long, which means that users cannot remember them,and they have to either be stored on every computer they use, or carriedaround on smart cards or other media; and (b) the infrastructure forensuring a certificate is valid, which is critical, is cumbersome tobuild, operate, and use. The first technique proposed to validatecertificates was to send every recipient a list of all certificates thathad been revoked. This clearly does not scale well to an environmentwith millions of users. The second method proposed was to require thatone inquire about the validity of a certificate on-line, which has itsown associated problems.

A system based on split private key cryptography has been developed tosolve these two issues, among others. In this system the private key forAlice, i.e. D_(alice), is further split into two parts, D_(aa) whichAlice knows, and a part D_(as) which is stored at a security server. Tosign a message, Alice could perform a partial encryption to generate apartial signature, i.e. PS=Sign(M,Das). Alice then sends the server PSwhich ‘completes’ the signature by performing S=Sign(PS,Dss). Thiscompleted signature S is indistinguishable from one generated by theoriginal private key, so the rest of the process works as previouslydescribed. However, D_(aa) can be made short, which allows the user toremember it as a password, so this system is consumer friendly. Further,if the server is informed that a particular ID has been revoked, then itwill cease to perform its part of the operation for that user, andconsequently no further signatures can ever be performed. This providesfor instant revocation in a simple highly effective fashion. It will berecognized by those with ordinary skill in the art that use of a splitprivate key for decryption purposes can be similarly accomplished, andthat the partial signatures (or decryptions) may be generated in theopposite sequence, that is first on the security server and subsequentlyby the user's computer, or even be computed concurrently in both placesand then combined.

Let us return now to password based systems. Challenge-response systemssolve the issue of having to send passwords in the clear across anetwork. If the computer and Alice share a secret password, P, then thecomputer can send her a new random challenge, R, at the time of login.Alice computes C=Encrypt(R,P) and sends back C. The computer decryptsDecrypt(C,P)=C′. If C=C′, then the computer can trust that it is Aliceat the other end. Note however that the computer had to store P. A moreelegant solution can be created using asymmetric cryptography. Now Alicehas a private key D_(alice), or in a split private key system she hasD_(aa). The computer challenges her to sign a new random challenge R.She signs the challenge, or in the split private key system sheinteracts with the security server to create the signature, and sends itback to the computer which uses her public key, retrieved from acertificate, to verify the signature. Observe that the computer does nothave to know her private key, and that an eavesdropper observing thesignature on R gains no knowledge of her private key.

The SSL system, which is widely used on the Internet, in effectimplements a more elaborate method of exactly this protocol. SSL has twocomponents, ‘server side SSL’ in which a server proves its identity bycorrectly decrypting a particular message during connection set-up. Asbrowsers such as Netscape and Microsoft Internet Explorer come loadedwith the public keys of various CAs, the browser can verify thecertificate of the server and use the public key therein for encryptionThis authenticates the server to the client, and also allows for theset-up of a session key K, which is used to encrypt and MAC all furthercommunications. Server side SSL is widely used, as the complexity ofmanaging certificates rests with system administrators of web sites whohave the technical knowledge to perform this function. The conversefunction in SSL, client side SSL, which lets a client authenticateherself to a server by means of a digital signature is rarely used,because although the technical mechanism is much the same, it nowrequires users to manage certificates and long private keys which hasproven to be difficult, unless they use the split private key system. Soin practice, most Internet web sites use server side SSL to authenticatethemselves to the client, and to obtain a secure channel, and from thenon use Userid, Password pairs to authenticate the client.

So far from disappearing, the use of passwords has increaseddramatically. Passwords themselves are often dubbed as inherently “weak”which is inaccurate, because if they are used carefully passwords canactually achieve “strong” security. As discussed earlier passwordsshould not be sent over networks, and if possible should not be storedon the receiving computer. Instead, in a “strong” system, the user canbe asked to prove knowledge of the password without actually revealingthe password. And perhaps most critically passwords should not bevulnerable to dictionary attacks.

Introduced above, dictionary attacks can be classified into three types.In all three types the starting point is a ‘dictionary’ of likelypasswords. Unless the system incorporates checks to prevent it, userstend to pick poor passwords, and compilations of lists of widely usedpoor passwords are widely available.

On line dictionary attack: Here the attacker types in a guess at thepassword from the dictionary. If the attacker is granted access to thecomputer they know the guess was correct. These attacks are normallyprevented by locking the user account if there are an excessive numberof wrong tries. Note that this very commonly used defense prevented oneproblem, but just created another one. An attacker can systematically gothrough and lock out the accounts of hundreds or thousands users.Although the attacker did not gain access, now legitimate users cannotaccess their own accounts either, creating a denial of service problem.

Encrypt dictionary attacks: If somewhere in the operation of the systema ciphertext C=Encrypt(M,P) was created, and the attacker has access toboth C and M, then the attacker can compute off-line C1=Encrypt(M,G1),C2=Encrypt(M,G2), . . . where G1, G2, . . . etc. are the guesses at thepassword P from the dictionary. The attacker stops when he finds a Cn=C,and knows that Gn=P. Observe that the UNIX file system, which uses a oneway function F( ) instead of an encryption function E( ), is vulnerableto this attack.

Decrypt dictionary attacks: Here the attacker, does not know M, and onlysees the ciphertext C (where C=Encrypt(M,P)). The system is onlyvulnerable to this attack if it is true that M has some predictablestructure. So the attacker tries M1=Decrypt(C,G1), M2=Decrypt(C,G2) . .. , and stops when the Mi has the structure he is looking for. Forinstance Mi could be known to be a timestamp, English text, or a numberwith special properties such as a prime, or a composite number with nosmall factors. Those with ordinary skill in the art will recognize thereare numerous variations of the encrypt and decrypt dictionary attacks.

In split private key systems the user portion of the private key,referred to as D_(aa) above, may come from the user's password only.Thus, a compromise of the password, i.e, another person learning auser's password, results in a compromise of the split private keysystem. Also, there still remains the possibility of a dictionary attackon the server portion of the private key, referred to as D_(as) above,because the user portion of the private key comes from the user'spassword only. Thereby knowledge of D_(as) enables a dictionary attackon Daa. Further, and as discussed above, existing multiple factorsystems that overcome these problems rely upon expensive hardware.Because of this and other reasons, such systems have failed to gainsupport. Thus, there remains a need for a multifactor cryptographicsystem which overcomes the problems of the prior art.

OBJECTIVES OF THE INVENTION

It is an object of the present invention to provide a cryptosystem whichovercomes the deficiencies of existing cryptosystems. Additionalobjects, advantages, novel features of the present invention will becomeapparent to those skilled in the art from this disclosure, including thefollowing detailed description, as well as by practice of the invention.While the invention is described below with reference to preferredembodiment(s), it should be understood that the invention is not limitedthereto. Those of ordinary skill in the art having access to theteachings herein will recognize additional implementations,modifications, and embodiments, as well as other fields of use, whichare within the scope of the invention as disclosed and claimed hereinand with respect to which the invention could be of significant utility.

SUMMARY DISCLOSURE OF THE INVENTION

In accordance with the present invention, a method and a system forsecuring an asymmetric crypto-key are provided. The asymmetriccrypto-key includes a public key, and a split private key. The splitprivate key includes at least a first private portion and a secondprivate portion. As desired, the asymmetric crypto-key may include evenmore private portions. Each of the private portions are applied to anoriginal message separately or in sequence and the partial resultscombined to form a transformed message, and the public portion isapplied to the transformed message to verify authenticity of the messagepreferably by recovering the original message, which authenticates theuser. Conversely a message encrypted with the public portion isdecrypted by applying each of the private portions to the encryptedmessage separately or in sequence and the partial results combined todecrypt. The use of asymmetric crypto-keys and split private keys iswell understood by those skilled in the art.

The system includes at least a first data repository and a second datarepository. In some aspects the system also includes a processor. Eitherof the first data repository or the second data repository can be anytype of data repository capable of storing data, including, but notlimited to, a hard disk, a floppy disk, flash drive, an optical drive, atape drive. A processor could be any type of processor capable ofcommunicating with one or more memories and functioning to implement themethod, including, but not limited to, a processor as found in a typicalpersonal computer, main-frame computer, server-type computer, or anyother type computing device.

A first one of multiple factors upon which generation of a first privateportion of the asymmetric crypto-key is based is stored. Thus, the firstprivate portion is generated using multiple pieces of information, knownas factors. Each of the multiple factors upon which the first portion isbased is under the control of the user. That is, the user has possessionof, or free access to, each of the multiple factors.

A factor could be as simple as a readily available number string, suchas a serial number of a user's computer, or could be a sophisticatedalgorithm, such as a cryptographic key. Also, if the multiple factorsare simple number strings, generation of the first private portion couldbe a simple concatenation of the multiple factors. However, preferably,generation of the first portion includes cryptographically combining themultiple factors, and each of the multiple factors is, or is used toproduce, a cryptographic key. Thus, in the preferred embodiment,cryptographic keys are used to produce a crypto-graphic key.

The first portion is not stored in a persistent state. That is, thefirst portion must be generated whenever its use is desired. In oneembodiment, the first portion is destroyed after its use. However, inother embodiments, the first portion is stored for a limited time afterits generation, making it available for use multiple times before it isdestroyed. The limited time could be a predetermined time period, orcould be a predetermined number of uses of the first portion.

A second private portion of the asymmetric crypto-key is also stored.The second private portion is under control of an entity other than theuser. The first and second portions of the asymmetric crypto-key arecombinable to form a complete private key. This private key is thenusable to transform messages, as desired.

Thus, in accordance with the present invention, a new type of asymmetriccrypto-key, and storage thereof, is provided. A private portion of theasymmetric crypto-key is produced using multiple factors, each undercontrol of the user. This key provides more security than existingasymmetric crypto-keys in which a private portion is produced using asingle factor. As desired, the multiple factors could be two factors,three factors, or any number of multiple factors desired.

In one aspect, the first factor is stored in a first location, and asecond one of the multiple factors is stored in a second location thatis different than the first location. Thus, at least two of the factorsupon which the private portion is based are stored separately. This addsa level of security, in that a thief would have to infiltrate twolocations to steal both of these factors.

In another aspect, the first factor is stored on either a user'scomputing device, or removable media configured to communicate with theuser's computing device. Preferably the user's computing device is apersonal computer, but could be any type computing device capable offunctioning in implementing the method, including a PDA, or a mobiletelephone. Preferably, the removable media is a USB flash drive, butcould be any type of data repository capable of communicating with theuser's computing device and storing a factor.

According to another aspect of the present invention, a second one ofthe multiple factors is not stored in a persistent state. Thus, eachtime this second factor is used in generating the first private portion,it must be made available anew, preferably by the user. In a furtheraspect, the second factor is generated based upon a user's password.Thus, a user provides his or her password, and the second factor is thengenerated using the password.

In still another aspect of the present invention, the first privateportion is stored for a limited time period after it is generated.During this limited time it is usable to prove the user's identitymultiple times without the user providing any authenticationinformation. This limited time period could be a predefined time period,or could be a predefined number of authentications.

According to yet another aspect, the public key is stored under controlof an entity other than the user. Thus, the public portion is availableto at least one entity other than the user.

In an especially beneficial aspect of the present invention, a thirdprivate portion of the split private key is based upon another set ofmultiple factors. This other set of multiple factors could be the sameset of multiple factors upon which the first portion is based, or couldbe a different set. Further, the second set of factors could bepartially or completely under the control of an entity other than theuser. Or, as desired, the second set of factors could be completelyunder control of the user. In any event, this third portion is generatedbased upon multiple factors, as is the first portion.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 depicts an exemplary network of the present invention, includingnetworked devices associated with a user, a sponsor, a merchant, and anoptional distinguished server.

FIG. 2 depicts a computer suitable for use by a user to access a networkin accordance with the invention.

FIG. 3 is an exemplary block diagram of components of the computerdepicted in FIG. 2.

FIG. 4 depicts a server suitable for use by the sponsor station,optional distinguished entities, and merchants in accordance with thepresent invention.

FIG. 5 is an exemplary block diagram of components of the serverdepicted in FIG. 4.

FIGS. 6 a-6 c is a flow chart showing operations which are performed bya user a optional distinguished server and sponsor station inassociating a multifactor asymmetric key pair with the user inaccordance with certain aspects of the present invention.

FIGS. 7 a-7 b is a flow chart showing operations which are performed bya user device and merchant server for a user to authenticate himself orherself to a server in accordance with certain aspects of the presentinvention.

FIGS. 8 a-8 c is a flow chart showing operations which are performed bya user device and the sponsor station for a user to log himself orherself onto a server in accordance with certain other aspects of thepresent invention.

FIGS. 9 a-9 b is a flow chart showing operations which are performed bya user device and the sponsor station for a user to authenticate himselfor herself subsequent to logging on in accordance with certain aspectsof the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

FIG. 1 illustrates a network 10, which could be the Internet. As shown,the network 10 is an interconnection of networked devices incommunication with each other. These networked devices include networkeddevices 30-33 associated with individual network users, networkeddevices 40-41 associated with merchant network users, a sponsor station50 associated with a sponsor, and optional networked devices 60-62associated with entities known to and trusted by the sponsor.

Networked devices 30-33 will be referred to as user devices. Thesenetwork devices are typically personal computers, but could be othertype network devices. Networked devices 40-41 will be referred to asmerchant servers. It should be understood that merchant servers 40-41could be associated with any type entity having a presence on network10. Optional networked devices 60-62 will be referred to asdistinguished servers. It will be understood that a network may consistof more networked devices than depicted in FIG. 1.

FIGS. 2 and 3 depict an exemplary personal computer (PC) suitable foruse by an individual user as a user device 30-33 to access the network10. The PC is preferably a commercially available personal computer. Itwill be recognized that the PC configuration is exemplary in that othercomponents (not shown) could be added or substituted for those depicted,and certain of the depicted components could be eliminated if desired.Further, a user device 30-33 could be another type device other than a‘computer’, such as, but not limited to, a PDA or a mobile phone.

The computer functions in accordance with stored programminginstructions which drive its operation. Preferably, the computer storesits programming instructions on an EPROM, or hard disk. It will berecognized that only routine programming is required to implement theinstructions required to drive the computer to operate in accordancewith the invention, as described below. Further, since the computercomponents and configuration are conventional, routine operationsperformed by depicted components will generally not be described, suchoperations being well understood in the art.

Referring to FIG. 2, the computer 1000 includes a main unit 1010 withslots 1011, 1012, and 1013, respectively provided for loadingprogramming or data from floppy disk, compact disk (CD), or otherremovable media, onto the computer 1000. The computer 1000 also includesa keyboard 1030 and mouse 1040 which serve as user input devices. Adisplay monitor 1020 is also provided to visually communicateinformation to the user.

As depicted in FIG. 3, the computer 1000 has a main processor 1100 whichis interconnected via bus 1110 with various remote or local storagedevices which may include, but are not limited to, EPROM 1122, RAM 1123,hard drive 1124, which has an associated hard disk 1125, CD drive 1126,which has an associated CD 1127, floppy drive 1128, which has anassociated floppy disk 1129, USB port 1195 for connecting a USB drive1196 (often called a flash drive), smart card reader 1197 forcommunicating with a smart card 1198. Also shown in FIG. 3 is a trustedprocessing module (TPM) 1199 for securely storing cryptographic keys.Taken together, the remote and local storage will be referred tocollectively as 1170. A drive controller 1150 controls the hard drive1124, CD drive 1126 and floppy drive 1128. Also depicted in FIG. 3 is adisplay controller 1120 interconnected to display interface 1121, akeyboard controller 1130 interconnected to keyboard interface 1131, amouse controller 1140 interconnected to mouse interface 1141 and a modem1160 interconnected to I/O port 1165, all of which are connected to thebus 1110. The modem 1160 and interconnected I/O port 1165 are used totransmit and receive signals via the network 10 as described below. Itwill be understood that other components may be connected if desired tothe bus 1110, or that less than all the components shown in FIG. 3 Maybe connected to the bus 1110. By accessing the stored computerprogramming, the processor 1100 is driven to operate in accordance withthe present invention.

The sponsor station 50, the merchant users and the optionaldistinguished entities are preferably represented on network 10 by anInternet server of the applicable type shown in FIGS. 4 and 5, as willbe described further below. However, here again, any network compatibledevice which is capable of functioning in the described manner could besubstituted for the servers shown in FIGS. 4 and 5.

FIGS. 4 and 5 depict an exemplary network server suitable for use by thesponsor, merchants, and optional distinguished entities to access thenetwork 10 in the below-described invention. The server is preferably acommercially available high power, mini-computer or mainframe computer.Here again, it will be recognized that the server configuration isexemplary in that other components (not shown) could be added orsubstituted for those depicted and certain of the depicted componentscould be eliminated if desired.

The server functions as described below in accordance with storedprogramming instructions which drive its operation. Preferably, theserver stores its unique programming instructions on an EPROM or harddisk. It will be recognized that only routine programming is required toimplement the instructions required to drive the server to operate inaccordance with the invention, as described below. Further, since theserver components and configuration are conventional, routine operationsperformed by depicted components will generally not be described, suchoperations being well understood in the art.

Referring to FIG. 4, the server 1000′ includes a main unit 1010′ withslots 1011′, 1012′, 1013′ and 1014′, respectively provided for loadingprogramming or data from a floppy disk, CD and/or hard disk onto theserver 1000′. The server 1000′ also includes a keyboard 1030′ and mouse1040′, which serve as user input devices. A display monitor 1020′ isalso provided to visually communicate information to the user.

As depicted in FIG. 5, the server 1000′ has a main processor 1100′ whichis interconnected via bus 1110′ with various storage devices includingEPROM 1122′, RAM 1123′, hard drive 1124′, which has an associated harddisk 1125′, CD drive 1126′, which has an associated CD 1127′, and floppydrive 1128′, which has an associated floppy disk 1129′. The memories,disks and CD all serve as storage media on which computer programming ordata can be stored for access by the processor 1100′. The stored dataincludes one or more databases containing information associated withnetwork users. The memories associated with a server hereafter will becollectively referred to as memory 1170′. A drive controller 1150′controls the hard drive 1124′, CD drive 1126′ and floppy drive 1128′.Also depicted in FIG. 11B is a display controller 1120′ interconnectedto display interface 1121′, a keyboard controller 1130′ interconnectedto keyboard interface 1130′, a mouse controller 1140′ interconnected tomouse interface 1141′ and a modem 1160′ interconnected to I/O port1165′, all of which are connected to the bus 1110′. The modem 1160′ andinterconnected I/O port 1165′ are used to transmit and receive signalsvia the network 10 as described above. It will be understood that othercomponents may be connected if desired to the bus 1110′. By accessingthe stored computer programming, the processor 1100′ is driven tooperate in accordance with the present invention.

Multifactor Asymmetric Crypto-key

A multifactor asymmetric crypto-key is associated with at least eachindividual network user, and, if present, each optional distinguishedserver 60-62. If desired, a multifactor asymmetric crypto-key can alsobe associated with each merchant user. Each multifactor asymmetriccrypto-key consists of two portions, a public portion and a privateportion. The public portion is referred to as E, and the private portionis referred to as D. The public portion of each multifactor asymmetriccrypto-key is known to at least each merchant user. If desired, thepublic portion of each multifactor asymmetric crypto-key can also beknown to each individual user. Each of these public portions can bestored on each merchant server, or on each merchant server and eachindividual device, in association with a user id. Additionally, each E,or less than each E, can be stored at sponsor station 50. The privateportion of each asymmetric crypto-key consists of at least a firstprivate portion having multiple factors and a second private portion.The second private portion of each multifactor asymmetric crypto-key isretained by the sponsor station 50 and will be referred to as D₂. Thefirst private portion of each multifactor asymmetric crypto-key will bereferred to as D₁ and will be further discussed below.

The multifactor asymmetric crypto-keys are used in transforminginformation. Preferably, the multifactor asymmetric crypto-keys are usedin providing trusted authentication of an individual user to a merchantuser. Also, the multifactor asymmetric crypto-keys can be used inproviding trusted authentication of an individual user to anotherindividual user, or of a merchant user to another merchant user. Furtherthe multifactor asymmetric crypto-keys can be used to decrypt dataencrypted with the public key. More generally, some subset of themultifactor asymmetric crypto-keys can be used to sign (or likewisedecrypt) a message and the signature verified (likewise messageencrypted) by the remaining crypto-keys.

In accordance with the present invention D₁ is made up of at least two,and perhaps additional, factors. One factor which is preferably alwayspresent is a user's password. Another factor will be either a privatekey stored on a user device 30-33, or a private key stored elsewhere. Ofcourse, both, instead of one, of the other factors could be utilizedwith the user password, as will be discussed in detail below. Sometimesa private key stored on a user device 30-33 will be referred to asD_(tether) or a tether key, and a private key stored elsewhere will bereferred to as D_(USB.)

Typically, the password will not be stored in any form, as preferably apassword is short, and thus relatively easy for a user to memorize.However, as desired, a password could be stored on a user device 30-33,or even elsewhere. Introduced above, D_(tether), when present, is storedon the user's device. In the most common implementation, D_(tether) isstored securely on the hard disk 1125 using the protection capabilitiesprovided by the PC's operating system, preferably as a non-exportableprivate key in a Windows Operating System key-store. Of course, asdesired, D_(tether) could be stored in a Windows Operating Systemregistry. Alternatively, D_(tether) can be, as desired, stored on thetrusted processing module (TPM) 1199. No matter where or how on the userdevice 30-33 D_(tether) is stored, in the most basic configuration,D_(tether) can only be used from the user device 30-33 upon which it isstored. That is, D_(tether) is a non-exportable private key stored onthe user device upon which it will be used. However, as will bediscussed in detail further below, D_(tether) may be ported to otherdevices and used thereon.

Introduced above, D_(USB) is not stored on the user device. D_(USB) isstored on removable media such as, but not limited to, a USB drive(flash drive), a floppy disk, or a CD. Preferably D_(USB) is stored on aUSB flash drive. As desired D_(USB) may be encrypted. Preferably, suchan encryption is not performed with the user's password. However,D_(USB) could be, as desired, encrypted with D_(tether). In addition tothe removable media described above, D_(USB) can be, as desired, storedon a smart card, which is a more sophisticated form of removable memorywhich typically includes separate processing electronics.

Key Generation

In one preferred implementation of key generation the sponsor station 50drives the association between users and multifactor asymmetriccrypto-keys. Preferably, for a user to obtain an association with amultifactor asymmetric crypto-key, the user must have a relationshipwith an entity associated with an optional distinguished server 60-62and only those users referred to the sponsor 50 by an optionaldistinguished server 60-62 are eligible to participate in network 10.However, as desired, distinguished servers 60-62 may not be included inthe network 10. In such a case, some or all of the functions performedby an optional distinguished server 60-62, including those describedherein, could be performed by sponsor 50, and/or some or all of thefunctions performed by an optional distinguished server 60-62 might notbe performed.

For the sake of discussion below, it is assumed that one or moreoptional distinguished servers 60-62 are included in network 10. If anindividual user associated with user device 31 wishes to obtain anassociation with a multifactor asymmetric crypto-key, yet does not havea preexisting relationship with any distinguished server 60-62, thatuser may choose to contact distinguished server 60 via the network 10and provide identity information to the distinguished server 60. In thiscase, the distinguished server 60 has the capabilities to verifyidentity information. This capability may be any well known method ofverifying identify information, such as a database of creditinformation, a database of telephone account information, or a databaseof address information. If the distinguished server 60 verifies theprovided information, the distinguished server 60 can refer the user tothe sponsor station 50.

If an individual user associated with user device 33 wishes to obtain anassociation with a multifactor asymmetric crypto-key and has arelationship with the distinguished server 61, the individual user mustrequest that the distinguished server 61 initiate the process ofassociating an asymmetric crypto-key with the individual user.Operations as described below and depicted in FIGS. 6 a-6 c will beperformed.

As shown in step 601 of FIG. 6 a, a distinguished server 60-62, in thisinstance distinguished server 62, logs in with the sponsor station 50.Then, the distinguished server 62 transmits to the sponsor station 50information identifying a new user with whom a multifactor asymmetriccrypto-key will be associated, in this instance the individual userassociated with user device 33, step 605. The sponsor 50 then generatesa symmetric key pair and a user ID which will be associated with the newuser, step 610. This symmetric key pair will serve as a one timeactivation code. Preferably, the symmetric key/one time activation codeis a short pronounceable word. This symmetric key/one time activationcode and user ID is stored in the memory 1170′ and is also transmittedto the distinguished server 62, step 615. The distinguished server 62then causes the symmetric key/one time activation code and user ID to bedelivered to the new user. This delivery may be via traditional postaldelivery, via e-mail, or via other electronic delivery, such as via aweb-page, step 617. Preferably electronic or hard-copy delivery will besecured using techniques familiar to those skilled in the art.

The new user, after receiving the user ID and symmetric key/one timeactivation code, establishes a communication session with the sponsor 50via network 10, step 620. The new user enters the user ID into his orher user device and transmits the same to the sponsor station 50 via thenetwork 10, step 625. The sponsor 50 matches the received user ID withthe user ID and symmetric key stored in memory 1170′, step 630.

If the received user ID has a match stored in memory 1170′, the sponsor50 generates a challenge and encrypts the challenge with the symmetrickey/one time activation code, step 635. The sponsor 50 transmits theencrypted challenge to the user device 33, step 638. The user device 33decrypts the challenge using the new user's symmetric key/one timeactivation code, step 640. At step 645, the user device 33 transmitseither the decrypted challenge, or proof of possession thereof, tosponsor 50 to authenticate the user to the sponsor. At this point, theuser is eligible to be associated with a multifactor asymmetriccrypto-key.

In an alternative embodiment, the sponsor station 50 and an optionaldistinguished server 60-62 do not participate in key generation. Rather,key generation is between a user device 30-33 and a merchant server40-41. In such a case, as desired, conventional processing for a user toauthenticate to a server may be utilized.

The generation of the multifactor asymmetric crypto-key begins at step650 in which the user device 33 generates two asymmetric key pairs. Thefirst key pair is D_(tether) and E_(tether), along with N_(tether).E_(tether), is the corresponding public key to the private keyD_(tether), and N_(tether) is the modulus. The second key pair isD_(USB) and E_(USB), along with N_(USB). E_(USB) is the correspondingpublic key to the private key D_(USB). Introduced above, D_(tether) isstored on the user device 33, and D_(USB) is stored on removable media.At step 655 the user device 33 transmits the non-private portions of thegenerated keys, i.e., E_(tether), N_(tether), E_(USB), and N_(USB), tosponsor 50 via network 10 for storage. It should be appreciated thatthis transmission could be broken into multiple transmissions, as wellas could be encrypted with the symmetric key/one time activation code,or even another key.

At step 658 of FIG. 6 b the user device 33 generates a third asymmetrickey pair, D and E, along with N. E is the public portion of themultifactor asymmetric crypto key, with N being the modulus. Followingat step 660, the user device 33 splits D into at least a first privateportion, D₁, having multiple factors, and a second private portion D₂.The user device 33 first determines D₁, as will be described below, andthen determines D₂ utilizing conventional techniques, as will beunderstood by one of ordinary skill in the art, i.e, that D₁*D₂=D modF(N).

The processing to determine D₁ is based upon the multiple factors. Inthe preferred embodiment, the multiple factors are a user password,D_(tether), and D_(usb). However, as desired, the multiple factors couldbe any two of D_(tether), D_(USB), and the user password. In particular,the user device 33 calculates D₁ utilizing the PKCS-5 algorithm, a wellknown one way function. The preferred equation for D₁ is as follows:PKCS-5(sign{Sha-1(sign{Sha-1(password),D_(tether)}),D_(USB)},salt,iterationcount)  (1)

Thus, as shown in equation 1, D₁ is computed in a novel manner by takinga first Sha-1 hash of the password and transforming this quantity withD_(tether,), taking a second Sha-1 hash of the transformed quantity andtransforming the second Sha-1 hash with D_(USB), and then using theresult of this second transformation as an input to the PKCS-5algorithm, along with the salt and the iteration count. After thedetermination of D₁, the user device 33 determines D₂ utilizingconventional and well known techniques, completing the split of D₁.

For those cases in which it is desired to use the password and D_(USB)as the multiple factors, but not D_(tether), the following equation fordetermining D₁ can be used:PKCS-5(sign{Sha-1(password),D_(USB)},salt,iteration count)  (2)

For those cases in which it is desired to use the password andD_(tether) as the multiple factors, but not D_(USB), the followingequation for determining D₁ can be used:PKCS-5(sign{Sha-1(password),D_(tether)}, salt, iteration count)  (3)

After the user device 33 determines D₁, operations continue with step665 in which the user device 33 destroys D₁ and transmits D₂, E and N tothe entity with which the user is establishing a multifactor asymmetriccrypto-key, which could be the sponsor station 50 or a merchant server40-41, for storage in memory 1170′. Thereafter the user device 33destroys D2. Preferably, at least the transmitted D₂ is encrypted withthe symmetric key/one time activation code, or even another key. Ofcourse, as desired, either or both of E and N could also be encrypted.

Alternatively, as desired, the key association entity, i.e., forexample, sponsor 50, or merchant server 40-41, could generate one ormore of the first, second, or third key pairs, including the splittingof D₁. If an entity other than a user device 33 generates either thefirst or the second key pair, that generating entity will transmit thegenerated private portion, i.e., D_(tether) and/or D_(USB), to the userdevice 33 and destroy the copy at the other entity 50 so that only theuser, through the user device 33 or removable media, has access to aprivate portion of either of these key pairs. If another entitygenerates the third key pair and performs the splitting, that generatingentity does not provide any associated information to the user. However,preferably the user will provide the password to the generating entityfor use with the PKCS-5 algorithm. Also, the non-user device havinggenerated D₁ and D₂ destroys D₁ and the password and stores D₂ in memory1170′.

Login Protocol—One to One

In providing trusted authentication of an individual user, in thisinstance, the individual user associated with user device 30, to anentity which the user directly obtained a multifactor asymmetriccrypto-key, in this instance, the merchant user associated with merchantserver 40, the following operations, as shown in FIGS. 7 a and 7 b, areperformed by networked devices 30 and 40. For simplicity of thedescription, it is assumed here that the merchant server 40 alsofunctioned as the sponsor server 50 in the previously described keygeneration protocol, although more generally they can be differentnetwork devices. This authentication is known as the LOGIN ONE TO ONEprotocol.

A communication session between user device 30 and merchant server vianetwork 10 is established, step 701 of FIG. 7. Merchant server 40transmits a request via network 10 to user device 30 requesting that theindividual user authenticate himself or herself to the merchant user,step 710. At step 715 the user transmits his or her user ID to themerchant server 40 via network 10 in the clear. It should be understoodthat, as desired, communications between the user device 30 and themerchant server could be protected using server side SSL encryption.However, for the sake of simplicity, it will be assumed that, in thepresent example, server side SSL is not used.

Next, at step 720 the merchant server 40 generates a challenge, whichconsists of a random number and a time stamp, and transmits the same tothe user device 30 via the network 10, also in the clear. In response tothe challenge, the user device 30, at step 725, generates a permissionrequest (PR) which consists of the challenge, a time stamp, and a randomnumber R1. In order to authenticate the user to the merchant server 40,the user will demonstrate knowledge of D₁, D_(tether), and D_(USB).However, the user device 30 will not provide the password to themerchant server 40. At step 726, the user device 30 generates D₁, usingthe PKCS-5 algorithm resident on the user device 30, as described above.In other words, the user enters his or her password and makes theremovable media upon which D_(USB) is stored available to user device30. As will be understood from the above, D_(tether) is already storedon the user device 30. It should be understood that steps 725 and 726could be concurrently performed, or could be performed in some otherorder than that depicted in the Figures and as described herein.

At step 730 the user device 30 creates a signed permission request (SPR)using D₁, D_(tether), and D_(USB). The signed permission request has thefollowing form:SPR=(PR,sign(Sha-1(PR),D_(tether),sign(Sha-1(PR),D_(USB))^(D1)  (4)Thus, PR is combined with both a Sha-1 hash of PR signed with D_(tether)and a Sha-1 hash of PR signed with D_(USB). This combination is thenencrypted with D₁. At step 735 the user device 30 transmits SPR to themerchant server 40 via network 10.

Upon receipt of SPR, the merchant server 40 uses D₂, N and E, stored inmemory 1170′, to recover PR, sign (Sha-1 (PR), D_(tether)), and sign(Sha-1 (PR), D_(USB)) by removing D₁. step 740. Verifying that thechallenge included in PR is correct, after decrypting with D₂, verifiesknowledge of D₁. At step 745 the merchant server 40 uses E_(tether) andN_(tether) to directly verify knowledge of D_(tether). That is, themerchant server 40 recovers PR from sign (Sha-1 (PR), D_(tether)). And,at step 750 the merchant server 40 uses E_(USB) and N_(USB) to directlyverify knowledge of D_(USB). That is, the merchant server 40 recovers PRfrom sign (Sha-1 (PR), D_(USB)). The successful completion of steps 740through step 750 implicitly verifies knowledge of the password andassociated multiple factors used to correctly construct D₁, as well asadditional direct verification of these multiple factors, thus providingsuccessful authentication. One or more of these direct additionalverifications may be omitted as desired.

Following step 750, assuming successful authentication, the merchantserver 50 and the user device 30 work together to create a symmetriccrypto-key used to encrypt and MAC communications between the two.Creation and use of such a symmetric crypto-key is well known in the artand will be understood by one of ordinary skill.

Login Protocol—Single Sign on

Single sign on capabilities are easily provided within the context of amultiple factor asymmetric crypto-key. That is, a user enters his or herpassword once to access one website and is not asked for the same whenaccessing another website, or different portion of the one website. Toprovide single sign on, in one embodiment after generation during login,D₁, is stored encrypted on the user device 30, with the key fordecryption stored on the sponsor server 50. D₁ could be stored on thehard disk in a location such as the Windows registry where it can beaccessed by multiple programs. However, this makes the encrypted keyvulnerable to theft, so another alternative is to store the encryptedkey in a shared area of RAM. D₁, when stored in RAM, can also beencrypted with a non-exportable one time use RSA key pair that has alifetime of that particular encrypted copy of D₁, or encrypted with asmartcard key. Yet another possibility is to store D₁ in the TPM 1199,either directly in the TPM or external to the TPM encrypted with one ofthe private keys of the TPM 1199.

In another single sign on embodiment, the sponsor station 50participates in the login protocol. With reference to FIG. 8, acommunication session between user device 30 and merchant server vianetwork 10 is established, step 801. Merchant server 40 transmits arequest via network 10 to user device 30 requesting that the individualuser authenticate himself or herself to the merchant user, step 810.

In response to this request, the user device 30 determines if alogged-in ticket is stored on memory 1170 at the user device 30, step815. For purposes of the present discussion it will be assumed that alogged-in ticket is not stored. The user device 30 requests theindividual user to enter his or her user id and password into the userdevice 30, step 820.

User device 30 processes the entered password along with D_(tether) andD_(USB) to obtain D₁, step 825. User device 30 then transmits a log-inrequest to sponsor station 50 via network 10, step 830. The log-inrequest includes at least the user's user ID. It should be understoodthat step 825 can occur previous to step 830, concurrent with step 830,or subsequent to step 830, though it is shown previous to step 830 inFIG. 8.

Sponsor station 50 receives and processes the log-in request to generatea challenge to the user device 30, step 835. The generated challenge istransmitted to the user device 30 via network 10, step 840. The log-inrequest and challenge are preferably each transmitted in the clear. Thatis, neither of these messages are protected. However, as will beunderstood, server side SSL encryption could be, as desired, used toprotect these communications.

The user device 30 receives the challenge and generates SPR, as will beunderstood from the discussion above and FIG. 7, forming a firstencrypted message, step 841. User device 30 transmits the first messageto sponsor station 50, step 850. Sponsor station 50 decrypts the firstencrypted message, as also will be understood from the above, to recoverPR, which includes the challenge, time stamp and R1, step 855. Thisoperation authenticates the user device 30 to the sponsor station 50.

Upon successful authentication, the sponsor station 50 generates asecond random number R2, computes the function XOR of R1 and R2,generates a time stamp, and determine a lifetime-value, step 860. Thelifetime-value is the life span of the logged-in ticket. This value maybe a finite time period, such as 1 hour or any other finite time periodso desired, or this value may be an end time such that the logged-inticket expires upon that time being reached. Next, the sponsor station50 encrypts R2, the time stamp, and the lifetime-value with R1, forminga second encrypted message, step 865. The sponsor station 50 transmitsthis second encrypted message to the user device 30 via network 10, step870.

The user device 30 decrypts the second encrypted message using R1,recovering R2, the time stamp, and the lifetime-value, step 875. Thisoperation authenticates the sponsor station 50 to the user device 30.The user device 30 computes function XOR of R1 and R2 which is calledR12, encrypts D1 with R1, and then destroys R1 and the unencrypted D₁,step 880. The user device 30 then stores the encrypted D1, user ID, timestamp, and the lifetime-value on memory 1170, or elsewhere on the userdevice 30, forming the logged-in ticket, step 885. The user device 30then transmits a message to the sponsor station 50 which includes a‘done’ indication and a time stamp which are encrypted using R12, step890. The sponsor station 50 stores an indication in memory 1170′ thatthe user is logged in. The user has now successfully logged in. If theuser has an unexpired logged-in ticket, the user need not provide theuser's client ID or password again to provide authentication to anothernetwork station requesting authentication.

Once the user is successfully logged in, to complete the authenticationof user to the merchant, the user device 30 transmits an authorizationrequest to the sponsor station 50, step 910 of FIG. 9 a. Theauthorization request includes the user's user ID which is stored aspart of the logged-in ticket on memory 1170. The user device 30retrieves the user ID from memory 1170, the user device 30 does notprompt the user to enter the user ID. This transmission is sent using aMessage Authentication Code (MAC) using R12. As will be understood byone skilled in the art, a MACed message is not encrypted, rather itincludes a number string appended to the message which authenticates thesender of the message to the receiver of the message and assuresintegrity of the message content. The user device 30 MACs theauthorization request with R12. The sponsor station 50 processes thereceived message to authenticate the user based upon the MACed message,step 515. Then, the sponsor station 50 generates and transmits anacknowledgement message to the user device 30. This is also MACed withR12, step 916.

The user device 30 authenticates the received acknowledgment and encodesa 36 byte hash, provided by the merchant server 40, step 920, preferablybeing the running hash of a client-side SSL handshake sequence.Preferably, the 36 byte hash is encoded using the PKCS1 algorithm,though other well known algorithms could be used. Next, the user device30 encrypts the 36 byte hash and a time stamp with R12 and transmitsboth to the sponsor station 50, step 925.

The sponsor station 50 decrypts encoded 36 byte hash and time stampusing R12, step 930. Next, the sponsor station 50 signs the encoded 36byte hash with D₂, the second private portion of the multifactorasymmetric crypto-key, step 935. The sponsor station 50 generates afresh time stamp, recalls R1 from memory 1170′, and transmits the timestamp, the signed encoded 36 byte hash, and R1 to the user device 30,all encrypted with R12, step 940.

The user device 30 decrypts the time stamp, the signed encoded 36 bytehash, and R1 using R12, step 945. Then, the user device 30 recallsencrypted D₁ from the memory 1170 and decrypts D₁ using R1 obtained fromthe sponsor station 50, step 950. The user device 30 then uses D₁ tocomplete the signature of the encoded 36 byte hash and transmits thefully signed 36 byte hash to the merchant server 40, step 955. Tocomplete the transaction, the user device 30 transmits a ‘done’ messageto the sponsor station 50, step 960.

Alternately the encoded 36 byte hash could be first signed on the userdevice 30 using D₁ decrypted via R12 and the signature completed on thesponsor station 50 using D₂.

Roaming

Introduced above, D_(tether) may be moved to additional user devices30-33 besides the one upon which it was created. This movement ofD_(tether) is known as roaming. In the preferred embodiment, roaming isprovided via an extension to the key generation protocol. This extensionwill be discussed in the context of user device 32 communicating withthe sponsor station 50 to associate a multifactor asymmetric crypto-keywith a user. However, it should be understood that the same extensionapplies when communications are between a user device 30-33 and amerchant server to establish such an association.

During key generation the sponsor station 50 preferably transmits one ormore secret questions to the user device 32 in the clear via network 10,after the user device 32 has generated, or received, D_(tether). Thesecret question(s) will be referred to herein as part A. Alternatively,the sponsor station 50 could transmit a trigger to cause secretquestion(s) already stored on the user device 32 to be presented to theuser. It should be appreciated that the secret question(s) asked aparticular user could be varied by the sponsor station 50 based upon anydesired factor. Further, it should be understood that the number ofsecret questions asked a particular user could likewise be varied basedupon any desired factor.

The user enters answers to the secret question(s) on the user device 32.The answer(s) will be referred to herein as part B. The user device 32then uses parts A and B as inputs to the PKCS-5 algorithm, discussedabove. After the entering of part B, the user device 32 performs thePKCS-5 algorithm twice, with the only difference between the twoperformances being the value of the iteration count. The first iterationcount is preferably 99, and the second iteration count is preferably100. However, it will be appreciated that any two different iterationcounts could be used where the second is larger than the first. Basedupon the output of the PKSC-5 algorithm, two symmetric keys areproduced, preferably in accord with the well known DES3 standard. Thesekeys will be referred to as DES3-99, and DES3-100. In the PKCS-5algorithm, part B is used as the password, and part A is used as thesalt. Alternatively, for example if part A is not transmitted to theuser device 32, but instead is stored thereon, the user's id could beused as the salt.

After generation of DES3-99 and DES3-100, the user device 32 encryptsD_(tether) with the first of the two DES3 keys, in this example,DES3-99. The encrypted D_(tether) along with the second of the two keys,in this example DES3-100, is transmitted from the user device 32 to thesponsor station 50 via network 10. The sponsor station 50 then storesthe received encrypted D_(tether) and DES3-100 in memory 1070‘inassociation with that user’s user ID.

Whenever this user desires to move D_(tether) onto a different userdevice 30-33 the user accesses the sponsor station 50 from thatdifferent user device 30-33 and the sponsor station 50 transmits part Ato the different user device 30-33, in the clear or encrypted withserver side SSL. The user enters the same answers previously entered andonce again DES3-100 and DES3-99 are computed, this time by the differentuser device 30-33, based upon part B. DES3-100 is now available to beused as a shared symmetric key, as both the user and the sponsor station50 have a copy thereof. Proof of possession of DES3-100 by the differentuser device 30-33 is made to the sponsor station 50, i.e., the user isauthenticated using any authentication technique desired.

After authentication, the sponsor station 50 transmits the storedencrypted copy of D_(tether) to the different user device 30-33 vianetwork 10. This transmission is encrypted with DES3-100. The differentuser device 30-33 is then able to decrypt D_(tether) using the copy ofDES3-99 it generated. Thereafter, the different user device 30-33 storesD_(tether), which, as discussed above, could be in any of several placeson or associated with this user device 30-33. Those with ordinary skillin the art will understand that successful communication using DES3-100establishes correct knowledge of Part B by the user and that storage ofDES3-100 on the sponsor station does not enable decryption ofD_(tether).

As desired, the ability of a user to roam may be limited. For example,the number of user devices 30-33 onto which D_(tether) can be moved canbe limited. Also, the actual machines onto which D_(tether) can be movedcan be limited. Other variations include only performing theabove-described extension to key generation when a user desired to roam,not during the actual key generation processing. In this way, theencrypted copy of D_(tether) stored could be destroyed after a certainperiod of time, forcing a user to actually move D_(tether) down onto adifferent user device 30-33 within a predetermined period of time afterperformance of the extension of the key generation protocol.

In an alternative approach to roaming, a user is associated withmultiple, different, D_(tethers). This results in a modified loginprotocol from that discussed above. In the modified login protocol, D₁is no longer based upon a password, D_(tether), and D_(USB). Rather, D₁is based only upon D_(USB) and the password. However, SPR is stilldetermined as described above, i.e., based upon D_(USB), and any one ofthe multiple D_(tethers). Each of the multiple D_(tethers) is, as willbe understood, associated with a unique E_(tether). Each D_(tether) isassociated with a single, particular user device 30-33. Each of theE_(tethers) is stored in association with the user id at the entity withwhich the key association was made. Also stored is an indication of thesingle, particular user device 30-33 with which a particular E_(tether)is associated. During Login, information identifying a particular userdevice 30-33 from which login is being performed is transmitted to theparticular device being accessed, i.e., sponsor station 50 or a merchantserver 40-41, so that the correct D_(tether) is utilized in decryptingSPR. In this manner, each user is associated with a single certificatebecause each user is associated with a single D₁.

Kiosk Mode

Roaming, discussed above, is but one technique provided by the presentinvention which enables a user to securely transmit information vianetwork 10. Introduced above, D is split into D₁ and D₂. However, anyparticular D can be split more than one way. The kiosk mode leveragesthis fact to provide a user multiple levels of network access. In thekiosk mode, D is split two different ways, resulting in not only D₁ andD₂, discussed above, but also D₃ and D₄. More particularly, D₃ is basedupon the password only, and D₄ is the complement to D3, as will beunderstood by one of ordinary skill in the art. So, as commonlyunderstood, E*D=1 mod F (N). The D is split twice, with one split beingD₁*D₂=D mod F (N), and the other split being D₃*D₄=1 mod F (N). Thesecond split, based upon the password only, can be called the zerofootprint split.

As desired, D₃ could be generated from information other than, or inaddition to, the password. For example, D₃ could be generated from thepassword and D_(USB), or any other information different than thatutilized to generate D₁. However, it is most desirable that D₃ be basedupon the user's password only, as the user will most typically beoperating under kiosk mode will at a user device 30-33 other than theuser device 30-33 upon which D_(tether) is stored.

Preferably, when a user is not at the user device 30-33 upon which hisor her D_(tether) is stored, the user transmits his or her user id andpassword to a merchant server 40-41. As desired, this could be via aspecial kiosk mode user presentation. Typically, this transmission willbe protected by server side SSL. The receiving merchant server then willauthenticate the user based only upon the received user id and passwordby converting the received password into D3 and demonstrating knowledgeof D3 to a sponsor station 50 which verifies this knowledge by means ofD4 stored in memory 1170′.

Authentication via kiosk mode will preferably result in a differentlevel of access, i.e., information that requires a higher level ofsecurity will not be available via the kiosk mode. In kiosk mode, alowest level of security is provided, based upon the password only.Thus, kiosk mode can be referred to as a single factor mode. In a twofactor mode, a higher level of security is provided based upon thepassword and either of D_(tether) or D_(USB). And, in a three factormode, a highest level of security is provided, based upon the password,D_(tether), and D_(USB). A particular server may be a legacy server thatonly uses passwords, not additional factors. Or, a particular server mayonly host non-sensitive information, and thus a higher level of securityis not needed. In both cases, such a server might employ only singlefactor or double factor security.

Further, a same server can now offer multiple levels of securityutilizing the present invention. Thus, for example, a user can log onunder kiosk mode based upon only his or her password/user idcombination, or that same user can log on, to the same server, basedupon his or her password/user id, as well as one or both of his or herD_(tether) and/or D_(USB). It should also be noted that, as desired, themultiple levels of access could be from the same user device 30-33.

Still further, different users could be, as desired, associated with oneor more different levels of access. Thus, for example, a first usercould be allowed to only log on under three factor security, a seconduser could be allowed to log on under either one or three factorsecurity, and a third user could be allowed to log on under only singlefactor security. It will be appreciated that other combinations ofaccess, based upon a user's identity, a server, or other networkappliance, being accessed, the type of information being accessed,and/or the particular user device 30-33, or type of user device 30-33,being used by a user may be had. This has the powerful business benefitthat a single security system can issue credentials of differentstrengths to different users, allowing strength to be appropriatelymatched to need.

Somewhat different than kiosk mode, though also resulting in a lowerlevel of security, a second and/or third factor does not have to be acryptographic key, or even a random number. A factor could be a propertyof the user device 30-33, such as a hard drive serial number, availableto the user device 30-33 for use in encrypting information. So, if ahigh level of strength is not desired, a second and/or third factormight not be a crypto-graphic key. Further, as desired, when multiplefactors are utilized, the multiple factors could be merely concatenatedinstead of algorithmically combined, as described above. However, itwill be recognized by one of ordinary skill in the art that a simpleconcatenation will not produce a high level of security.

It will also be recognized by those skilled in the art that, while theinvention has been described above in terms of one or more preferredembodiments, it is not limited thereto. Various features and aspects ofthe above described invention may be used individually or jointly.Further, although the invention has been described in the context of itsimplementation in a particular environment and for particular purposes,e.g. in providing security for Internet communications, those skilled inthe art will recognize that its usefulness is not limited thereto andthat the present invention can be beneficially utilized in any number ofenvironments and implementations. Accordingly, the claims set forthbelow should be construed in view of the full breath and spirit of theinvention as disclosed herein.

1. A method for securing an asymmetric crypto-key having a public keyand a split private key with multiple private portions, comprising:storing a first one of multiple factors, all of which are under thecontrol of a user, required to generate a first private portion of thesplit private key, the first private portion not stored in a persistentstate; and storing a second private portion of the split private keyunder control of an entity other than the user; wherein the firstprivate portion and the second private portion are combinable to form acomplete private portion.
 2. The method of claim 1, wherein the firstfactor is stored at a first location, and further comprising: storing,at a second location different than the first location, a second one ofthe multiple factors.
 3. The method of claim 1, wherein: the firstfactor is stored on one of i) a computing device associated with theuser, and ii) removable media configured to communicate with the usercomputing device.
 4. The method of claim 1, wherein a second one of themultiple factors is not stored in a persistent state.
 5. The method ofclaim 4, wherein the second factor is generated based upon a userpassword.
 6. The method of claim 1, wherein generation of the firstprivate portion based upon the multiple factors includescryptographically combining the multiple factors.
 7. The method of claim1, wherein: the asymmetric crypto-key is a first asymmetric crypto-key;and the first factor is a private key of a second asymmetric crypto-keydifferent than the first asymmetric crypto-key.
 8. The method of 1,further comprising: generating the first private portion based upon themultiple factors, including the stored first factor; non-persistentlystoring the generated first private portion for a limited time period;and during the limited time period applying the stored first privateportion to authenticate the user multiple times.
 9. The method of claim1, further comprising: storing the public key under control of an entityother than the user.
 10. The method of claim 1, wherein: the multiplefactors are a first set of multiple factors; and a third private portionof the split private key is based upon a second set of multiple factors.11. A system for securing an asymmetric crypto-key having a public keyand a split private key with multiple private portions, comprising: afirst data repository configured to store one of multiple factors, allof which are under control of a user, required to generate a firstprivate portion of the split private key, the first private portion notstored in a persistent state and a second data repository configured tostore a second private portion of the split private key, the secondportion under control of an entity other than the user; wherein thefirst private portion and the second private portion are combinable toform a complete private portion.
 12. The system of claim 11, furthercomprising: a third data repository configured to store a second one ofthe multiple factors, the third data repository different than the firstdata repository.
 13. The system of claim 11, wherein: the first datarepository is one of i) a drive associated with a user computing device,and ii) removable media configured to communicate with the user'scomputing device.
 14. The system of claim 11, wherein a second one ofthe multiple factors is not stored in a persistent state.
 15. The systemof claim 14, further comprising: a processor, in communication with thefirst data repository, configured to generate the second factor basedupon a user password.
 16. The system of claim 11, further comprising: aprocessor, in communication with the first data repository, configuredcryptographically combine the multiple factors to generate the firstprivate portion.
 17. The system of claim 11, wherein: the asymmetriccrypto-key is a first asymmetric crypto-key; and the first factor is aprivate key of a second asymmetric crypto-key different than the firstasymmetric crypto-key.
 18. The system of claim 11, wherein: a generatedfirst private portion is non-persistently stored for a limited timeperiod after generation; and during the limited time the stored firstprivate portion is applied to authenticate the user multiple times. 19.The system of claim 11, further comprising: a third data repositoryunder control of an entity other than the user and configured to storethe public key.
 20. The system of claim 11, wherein: the multiplefactors are a first set of multiple factors; and a third private portionof the split private key is based upon a second set of multiple factors.